Thanks to Marvel (okay, Disney) and the success of the Avengers, a whole new generation is growing familiar with today’s versions of Thor, Loki, Odin, and the rest of the gang over in Asgard. It’s old Norse legend, reimagined into not-so-old comics, reimagined into blockbuster films. What was old is new again.
In a weird parallel universe (multiverse, anyone?) Another old Loki has become new again.
This week the media drew attention to a recent attack which made use of the 20 year old Loki2 exploit. Much of the interest around the story was due to the fact that the researchers who investigated the attack are linking this new attack, with attacks that are more than 20 years old. The implication is that this same Russian attack group may have been operating since the 1990s.
With state-sponsored attacks garnering so much media attention in the last few months, this storyline—focused on identifying the attacker—fits nicely into current public interest. But the fact that a hacking group may have been active for a long time isn’t that important in the grand scheme of security. What’s arguably more important is that even very old exploits remain relevant and viable, despite decades of cyber security innovation!
We in the industry often spend a lot of time on the “new.” Everything is next-gen. Threats are so new that zero days was still too many, and we have moved to zero hour. We are hyper-focused on the new. But focusing on the new can often leave us exposed to older, proven attacks.
Bottom line: Just because an attack is old, doesn’t mean it’s ineffective.
The Loki2 exploit may be a remnant of the 90s, but rather than fade into obscurity, it’s more of a classic. More like Radiohead, and less like Smash Mouth.
Loki2’s staying power likely has something to do with its elegance. It allows attackers to tunnel information to and from targeted systems by exploiting the fact that ICMP (and DNS) packets are often passed without investigation by security systems.
ICMP packets (used commonly to execute ping commands), contain space for a data payload. The thing is, for ECHO and ECHO_REPLY, this data payload can be stuffed with arbitrary data. Since the header information is still valid, and the packets are performing as normal, the atypical payload goes unnoticed without deep packet inspection. Add a little encryption, and properly configured machines can transfer tunneled information over a protocol that’s often open and available for attackers.
This type of tunneling is as old as the Internet. It’s almost quaint in its simplicity. But it can still be an effective part of a modern kill chain. While we’re worried about today’s newest APT, or thinking about investing in a next-next-gen firewall, attackers are still winning.
We have to consider both the new, and the old. We can’t just blindly buy and buy, and build more and more walls around our data, and hope that they’ll “just work.” It’s time to be data driven. It’s time to validate that our defenses work the way we expect them to, and to remediate quickly when they don’t.
It’s time for Continuous Security Validation.
We added Loki2 to to the SafeBreach Hacker’s Playbook last week, as Breach Method #1278. As with all our other simulations, customers automatically see the results of this type of breach method within their networks when they use SafeBreach to safely test and validate their security.
By using breach simulations to continuously validate our security controls, our customers can more effectively use the tools and investments they’ve already made made. They can unleash a virtual hacker to understand their risk, and remediate quickly. Like Thor, they can wield a mighty security Hammer to crush the threats of both yesterday, and tomorrow!
Ahem. Excuse me. I got a little carried away. But while it might not grant otherworldly powers, Continuous Security Validation can indeed empower us all to do more with what we have, and to stop threats before they impact our businesses. And that’s pretty super!